Our panel of international experts examines how utilities can embrace a global outlook when it comes to security.
“Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.”
Released in March, this statement formed part of a memorandum from Radhika Fox, the U.S. Environmental Protection Agency (EPA) Assistant Administrator for Water, stressing the need for states to assess cybersecurity risks.
Threats to operators don’t respect geographic boundaries, and the issue facing U.S. water utilities is one many global utilities share. So how can utilities stay secure?
To find out, Making Waves brought together some of Xylem’s brightest minds focused on product and information security: India-based Sindhu Govardhan, Sweden-based Senad Pašalić, China-based Jack Zhou, and U.S.-based Griffin Harrison.
Asking the right questions
For Govardhan, sometimes the first step for utilities is straightforward: ask questions to help raise cybersecurity awareness.
As scrutiny increases, she points to a rapidly growing level of awareness from utilities. She has already found that utilities are asking more questions than ever and encourages all operators to check with their suppliers to learn more about their cybersecurity best practices and the related benefits.
“Customers are becoming much more interested in the subject. We work with them to encourage questions about cybersecurity, not just to us, but to all suppliers.
“The greater their awareness, the better they can respond and comply with standards. That awareness is growing by the day. It is up to us to bring our global expertise to answer their questions,” she said.
Pašalić points to the shift in the industry towards a shared responsibility model, a topic covered in detail in a previous article, as a way that customers and suppliers can work together to answer questions and solve issues quickly.
“The global cybersecurity community is getting good at collaborating. It’s essential that we ask questions, highlight issues, and take an open approach to solving problems together. That helps us help our customers, as we can draw knowledge from lots of areas and share updates,” he added.
Global outlook, local response
One of the concerns facing operators is complying with local, emerging regulatory demands, such as the expansion of the Network and Information Security (NIS) directive known as NIS2, the EU-wide legislation that provides legal measures for a high common level of cybersecurity.
Before getting into the details of local demands, utilities can go to the source. That is why Pašalić points to the importance of internationally recognized standards, such as ISO.
Most local standards refer to international standards (such as ISO 27001 and IEC 62443), and their requirements are often mapped to these. If utilities can work with partners to ensure these are applied, they will have a strong framework to work from.
“It is a lot easier to do a gap analysis and see where you might need to meet local requirements when you have a good grounding in the international standards,” he said.
“Differing policies may present some challenges for water operators, which is why it is important to also consider unique local requirements. This is important when making any procurement decisions, so always check with vendors,” Zhou added.
Harnessing global perspectives
Standards aside, a global perspective also helps companies like Xylem ensure that appropriate barriers are built and updated to safeguard systems from very real threats, according to Harrison.
“Different operators will work with many different products from vendors, so having a secure product is just part of the puzzle. Utilities need to develop partnerships so that even in the operation phase they can ensure that the security level does not drop, even as threats around them evolve. We lean on each other to get fresh perspectives and global insights that we can share with operators in our local markets,” he said.
That global knowledge pool also gives a line of sight to potential threats.
“You may have one type of attack common in a region. We have broad visibility to take that knowledge and use it to prepare other operators.”
“It gives us a lot of insight that we can share, and it makes us quicker in arming other operators to defend themselves,” Harrison said.
Secure products mean that utilities can avail themselves of the game-changing potential of digital transformation – a subject discussed in detail in Xylem’s Ripple Effect paper – while improving their level of security.
“Utilities can see the value in connected systems and how approaches like sharing the burden can drive economies of scale that deliver a better-quality product,” Harrison added. “We are starting to overcome the notion that adding connectivity adds risk. That is not necessarily the case and there are a lot of advantages to having a higher degree of connectivity. For municipalities going down this road, they can work with products secured by design and learn from best practices from around the globe.”